Previous Section  < Day Day Up >  Next Section

Tenets of Good Forensic Analysis

When doing forensic analysis on information systems, there are different methods and techniques to use and a variety of software tools to help you. However, there are some basic guidelines that you should always follow if possible.

Operate on a Disconnected System

If possible, completely disconnect the system in question from the network while gathering your data. If the system is connected, you could be dealing with a moving target while collecting the data. Log files can fill up, parts of the disk can get overwritten, and services could die or be shut down. Worst case, if your attackers still have access to the system (and you never can be absolutely sure of this), they might discover your work and take evasive action.

If the system has been taken down by an attack, you might be under considerable pressure to bring it back online as fast as possible. For production systems still up and running, there also might be resistance to taking them offline. It may not be politically popular, but at a minimum, try to take the system offline while you collect your data. Wait until after hours if you have to and advertise it as a system maintenance window. Make a copy of the information in question (the whole hard drive if possible). Then you can return the system to production and minimize users' downtime while you do your work. Which leads to the next point.

Use a Copy of the Evidence

Use data imaging software, such as the dd tool presented later in this chapter, to make a copy of the evidence to work on. If you plan to pursue any legal action, criminal or civil, make two copies and seal one in a tamper-proof container. This protects your chain of custody and makes your case less assailable by charges of tainted evidence. Also, if you accidentally make a mistake and delete some important evidence, you can always return to your known good copy. If possible, take these initial steps in the presence of another witness. It is even better if he or she is an impartial third party. Attach a paper log with the creator's name, date, and time, and then log each time it changes hands with dates and signatures.

Use Hashes to Provide Evidence of Integrity

When making your copies of the data and producing other evidentiary files, it is worthwhile to create a MD5 hash of the data and record it. Some of these tools, such as The Coroner's Toolkit (see the section on Sleuth Kit later in this chapter), will do this for you automatically. You can also use one of the encryption tools mentioned in Chapter 9, such as PGP or GnuPG. Again, if the authenticity of your findings is challenged, you can prove that the copy you worked on was electronically exactly the same as the one on the machine attacked. This also helps you verify differences between files and if any changes were made by system-level utilities.

Use Trusted Boot Media and Executables

Whenever examining a system, it is good practice to boot using a trusted media, such as a boot floppy or CD-ROM. You can create one of these during the OS installation process. Some of these tools create their own bootable environment. This is especially important if you are working on the exploited system. If the attack has managed to compromise the system's binary files using a root kit, then any results you obtain from the utilities on that hard disk should be suspect. In addition to possibly writing over file dates and other crucial data, the attacker may have left certain time bombs or daemons running that could cause further damage or erase evidence.

You can create an incident response disk that includes all of the programs you would need on a bootable CD-ROM. You will need one for Windows and one for UNIX if you are in a mixed environment.

    Previous Section  < Day Day Up >  Next Section